Cisco Secure Malware Analytics - XDR incident and notification
This scheduled workflow runs a search query in Cisco Secure Malware Analytics for new private samples that have been submitted and convicted as malicious. It then creates a Cisco XDR incident if the sample has been seen on your organization's assets by one of your integrated modules. Optionally, it can send a notification in Cisco Webex. You can choose to create a Cisco XDR incident and receive a notification even if no internal target has been found; however, this setting may generate noise and lead to alert fatigue.
Description
This scheduled workflow runs a search query in Cisco Secure Malware Analytics for new private samples that have been submitted and convicted as malicious. It then creates a new Cisco XDR incident if the sample has been seen on your organization's assets by one of your integrated modules.
Optionally, it can send a notification in Cisco Webex.
Targets
This workflow requires targets provided by the Cisco XDR Integration Modules.
You can proceed to the next install step without specifying a target, but the workflow will be invalid until it is updated with a valid target.
Notes
You can choose to create a Cisco XDR incident and receive a notification even if no internal target has been found. However, this is not the recommended setting, as it may generate noise and lead to alert fatigue.
The workflow is designed to run every X minutes, but you need to add the automation rule yourself. It can also be run manually on demand.
Before running it for the first time, verify or modify the global variable "Secure Malware Analytics - Last Sample date". The workflow will start collecting samples submitted after this date.
The workflow includes a custom atomic action: "Get Unique Table Values".
Steps
- Search Cisco Secure Malware Analytics for new private samples with a score higher than 85 and get the sample IDs, submission dates, file names and file SHA256 hashes
- If there are no new samples since the last run: complete with success
- If Webex notification is enabled and no Room ID is set: get the room ID by name
- For each new sample:
  - Check whether the SHA256 is already in the global variable "Secure Malware Analytics - Sha256 Table"
  - If the SHA256 is new:
    - If the input variable "XDR Incident - only if seen on Internal Assets" is set to true:
      - Create an XDR investigation and search for assets
      - If assets are found:
        - Get the sample report from Cisco SMA
        - Extract and parse the behavioural indicators and MITRE tactics
        - Create a sighting
        - Search for the indicator in Private Intelligence; if it exists, get its ID and create a relationship with the sighting, otherwise create the indicator and the relationship
        - Create an XDR incident
        - If Webex notification is enabled and "Only on Incident" is set to true, notify the Webex room with the XDR incident link
      - If Webex notification is enabled and "Only on Incident" is set to false, notify the Webex room (no incident)
    - If the input variable "XDR Incident - only if seen on Internal Assets" is set to false:
      - Get the sample report from Cisco SMA
      - Extract and parse the behavioural indicators and MITRE tactics
      - Create a sighting
      - Search for the indicator in Private Intelligence; if it exists, get its ID and create a relationship with the sighting, otherwise create the indicator and the relationship
      - Create an XDR incident
      - If Webex notification is enabled, notify the Webex room with the XDR incident link
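As an added illustration that is not part of the workflow itself, the branching above as a small Python model: it applies the "Last Sample date" watermark and the score threshold, deduplicates by SHA256, and returns the actions taken per sample under each combination of the "only if seen on Internal Assets" and Webex settings, which makes the alert-fatigue effect of the non-recommended setting visible. The class, field and function names, the constructed samples, and the reading of "Only on Incident" as suppressing notifications when no incident is created are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
SCORE_THRESHOLD = 85  # samples above this threat score count as convicted (from the workflow)

@dataclass
class Sample:  # constructed stand-in for one SMA search hit plus the XDR asset-lookup result
    sample_id: str
    submitted_at: datetime
    sha256: str
    score: int
    seen_on_internal_assets: bool  # outcome of "Create XDR investigation and search for Assets"

@dataclass
class Settings:
    only_if_internal: bool  # input variable "XDR Incident - only if seen on Internal Assets"
    webex_enabled: bool
    only_on_incident: bool  # assumption: suppresses the Webex message when no incident is created

def decide(sample, settings, sha_table):
    """Actions for one sample; sha_table mirrors the global "Secure Malware Analytics - Sha256 Table"."""
    if sample.sha256 in sha_table:  # hash already handled on an earlier run: skip it
        return []
    sha_table.add(sample.sha256)
    if not settings.only_if_internal or sample.seen_on_internal_assets:
        actions = ["get_report", "create_sighting", "link_indicator", "create_xdr_incident"]
        if settings.webex_enabled:
            actions.append("webex_with_incident_link")
        return actions
    if settings.webex_enabled and not settings.only_on_incident:
        return ["webex_no_incident"]  # the noisy path the notes warn about
    return []

def run(samples, settings, last_sample_date, sha_table):
    """One scheduled run: keep convicted samples newer than the watermark; return actions and new watermark."""
    new = [s for s in samples if s.submitted_at > last_sample_date and s.score > SCORE_THRESHOLD]
    if not new:
        return {}, last_sample_date  # "no new sample since last run": complete with success
    results = {s.sample_id: decide(s, settings, sha_table) for s in new}
    return results, max(s.submitted_at for s in new)

# Constructed input; LAST_SAMPLE_DATE plays the global "Secure Malware Analytics - Last Sample date".
LAST_SAMPLE_DATE = datetime(2024, 5, 1, 12, 0)
DEMO_SAMPLES = [
    Sample("s1", datetime(2024, 5, 2, 10, 0), "aa" * 32, 95, True),
    Sample("s2", datetime(2024, 5, 2, 11, 0), "bb" * 32, 90, False),  # convicted, not seen internally
    Sample("s3", datetime(2024, 5, 2, 12, 0), "aa" * 32, 99, True),   # same SHA256 as s1
    Sample("s4", datetime(2024, 5, 1, 9, 0), "cc" * 32, 99, True),    # submitted before the watermark
    Sample("s5", datetime(2024, 5, 2, 13, 0), "dd" * 32, 50, True),   # below the score threshold
]

def demo(only_if_internal, webex_enabled=True, only_on_incident=True):
    """Run DEMO_SAMPLES through one scheduled run and return {sample_id: actions}."""
    return run(DEMO_SAMPLES, Settings(only_if_internal, webex_enabled, only_on_incident), LAST_SAMPLE_DATE, set())[0]
```

Comparing `demo(True)` with `demo(False)` shows the difference the note describes: with the recommended setting only s1 raises an incident, while with the setting off every convicted sample does.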
This workflow requires the following targets to be available before it can be run.
Integration targets
- Secure Malware Analytics
- Webex
- Cisco XDR